At 10:18 AM -0600 2000/02/22, Andrew Johnson wrote:
"Porter, Rodney" wrote:
> Following up on your security talk at APS, I was wondering if there is a
> standard way to disable telnet and rlogin. If not could one be made?

You can inspect the INCLUDE_CONFIGURATION_5_2 macro, which is just
a bunch of #defines, and pick what you want, leaving out telnet and
rlogin. Just move the ones you do want from the grouping after
#ifdef FALSE to just above it.

By the way, I leave them in, because they are useful to me; further,
I assume VxWorks is extremely vulnerable, so to get some real security, I:

- put my IOCs on a hidden subnet, for example, using IP masquerading
  on one of my dual-homed servers. This really hides them from the
  Internet (and is good practice for your console Unix/NT machines as
  well-- they can still see "out".);
- do not give the IOCs a DEFAULT route; at most, give them single-host
  routes to special hosts not on the hidden subnet. They will not reply
  to any packet not on their own LAN (which would not occur if using
  the IP masquerading technique, of course). You can still access them
  by using ssh once to your above server; then rlogin or via your serial
  port access method;
- change the default password and login supplied by WRS. Do this by
  looking further down in configAll.h;
- finally, VxWorks is pretty obscure; I still forget to put quotes
  around the arguments to cd and ls.
_____________________________________________________________________
Stephen A. Lewis                      | [email protected]
Mail Stop 71-259                      | http://www.lbl.gov/~salewis
Lawrence Berkeley National Laboratory | Tel: +1.510.486.7702
Berkeley, CA 94720 USA                | FAX: +1.510.486.4544
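
Added example, not part of the original message and not WRS or EPICS code: a Python check that reports whether telnet or rlogin would still be built into an image, by listing the INCLUDE_* macros defined outside the excluded grouping of a configAll.h-style header. Assumptions: the macro names INCLUDE_TELNET and INCLUDE_RLOGIN (the message names only the services), a grouping opened by `#ifdef FALSE` or `#if FALSE` is treated as not compiled, and both header excerpts are constructed for illustration.

```python
import re

# VxWorks facility macros for the two services the message leaves out.
REMOTE_LOGIN = {"INCLUDE_TELNET", "INCLUDE_RLOGIN"}

GUARD = re.compile(r"^\s*#\s*if(?:def)?\s+FALSE\b")   # opens the excluded grouping
COND_OPEN = re.compile(r"^\s*#\s*if")                  # #if, #ifdef, #ifndef
COND_ELSE = re.compile(r"^\s*#\s*else\b")
COND_CLOSE = re.compile(r"^\s*#\s*endif\b")
DEFINE = re.compile(r"^\s*#\s*define\s+(INCLUDE_\w+)")

def active_includes(header_text):
    """Return the INCLUDE_* macros defined outside the excluded grouping."""
    active, depth = set(), 0          # depth > 0 means inside the grouping
    for line in header_text.splitlines():
        if depth:
            if COND_OPEN.match(line):
                depth += 1            # nested conditional inside the grouping
            elif COND_CLOSE.match(line):
                depth -= 1
            elif depth == 1 and COND_ELSE.match(line):
                depth = 0             # the guard's #else branch is compiled
        elif GUARD.match(line):
            depth = 1
        elif (m := DEFINE.match(line)):
            active.add(m.group(1))
    return active

def remote_login_enabled(header_text):
    """Sorted list of remote-login facilities that would be built in."""
    return sorted(active_includes(header_text) & REMOTE_LOGIN)

# Constructed excerpts for illustration, not copied from a real configAll.h.
AS_SHIPPED = """\
#define INCLUDE_NET_INIT
#define INCLUDE_RLOGIN      /* remote login */
#define INCLUDE_SHELL
#define INCLUDE_TELNET      /* telnet remote login */
#ifdef FALSE
#define INCLUDE_SECURITY
#endif
"""
HARDENED = """\
#define INCLUDE_NET_INIT
#define INCLUDE_SHELL
#ifdef FALSE
#define INCLUDE_RLOGIN
#ifdef NESTED_EXAMPLE
#define INCLUDE_TELNET
#endif
#define INCLUDE_SECURITY
#endif
"""

if __name__ == "__main__":
    for name, text in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, "->", remote_login_enabled(text) or "no remote login")
```

Defines inside other conditionals are counted as active, so the check errs toward reporting a service rather than missing it.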